How to create a new certificate for a new URL on a Rocky Linux 9 server (for JFrog)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
tortuga.etpi.com.br (new url jfrog4.etpi.com.br)

I ran this command:
certbot --apache -d jfrog4.etpi.com.br

It produced this output:
error log:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5389999b20 >: Failed to establish a new connection: [Errno -2] Name or service not known'))
2024-03-25 12:50:59,819:ERROR:certbot._internal.log:An unexpected error occurred:
2024-03-25 12:50:59,820:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5389999b20>: Failed to establish a new connection: [Errno -2] Name or service not known'))

My web server is (include version):
httpd
Server version: Apache/2.4.57 (Rocky Linux)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

================================================================

Hello, I need to ask a question about creating a new certificate (in fact it is already created; I need to add a new virtualhost) for a new URL, jfrog4.etpi.com.br, but for this to be done correctly I need to create a new virtualhost file with the name of the URL in sites-available, or something is missing, and then what commands would I have to run?

Server: Rocky Linux 9

I need to know whether or not I have to create a virtualhost file and how to correctly configure it to accept the Let's Encrypt certificate.

Do I need it for iptables (ip6tables)?


This error says that your system cannot resolve the hostname for the ACME API. That's a generic issue for your system (not being able to resolve hostnames to IP addresses) and needs to be addressed before actually getting to the stage of trying to issue a certificate.

Once you've fixed your DNS resolving capabilities, you can try again.


What does this show?
sudo apachectl -t -D DUMP_VHOSTS


Here is what the DNS Spy report for etpi.com.br shows for the domain etpi.com.br


How do I fix my server's DNS? Could it be the firewall blocking it?

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/httpd/sites-enabled/localhost.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:1)
*:443                  is a NameVirtualHost
         default server tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:6)

I removed the virtualhost that I had created before, for jfrog4.etpi.com.br, as I'm almost sure there was a configuration error... lol


but is there something wrong?


Depends on the cause of the issue.

It could be a firewall, yes.

Let's check some other things first. What's the result of the following commands:

cat /etc/resolv.conf

dig +trace google.com

dig +trace acme-v02.api.letsencrypt.org


==============================
/etc/resolv.conf

#search invalid
nameserver 1.1.1.1
nameserver 213.136.95.11
nameserver 213.136.95.10
search domain.name

==============================
dig +trace google.com

; <<>> DiG 9.16.23-RH <<>> +trace google.com
;; global options: +cmd
. 516418 IN NS a.root-servers.net.
. 516418 IN NS b.root-servers.net.
. 516418 IN NS c.root-servers.net.
. 516418 IN NS d.root-servers.net.
. 516418 IN NS e.root-servers.net.
. 516418 IN NS f.root-servers.net.
. 516418 IN NS g.root-servers.net.
. 516418 IN NS h.root-servers.net.
. 516418 IN NS i.root-servers.net.
. 516418 IN NS j.root-servers.net.
. 516418 IN NS k.root-servers.net.
. 516418 IN NS l.root-servers.net.
. 516418 IN NS m.root-servers.net.
. 516418 IN RRSIG NS 8 0 518400 20240407130000 20240325120000 30903 . tkBlFNWcDjW5HfdG2QdW3kNRlKRowXnsZEF/kkcA1G8koUr0WYXrlTJP azAOZujpEd4sSyuqoNFoGGQOsd2dFgTRlb3NrimamFC6SCfxMTouvN/O 1/vNBpu3nFI1xyttaIFmBtvMb2i0XmrWgmb1cBNjH566tPCMBqdx6VTy 04UfqDI0pWPlnl44ArgOe7nmXabvMfzRv8LO/9wg1KFVtdbQd48Wm1Aa 5caKfz4H7OM5XXAwKK7UGJidIEOfAwXh4WXrEjRc2hdte8R4phFBM8L7 9W1bK1xjRsIr4jjIj7fiqRfOBxqCGYwOyNfuMcCYgLRgO4L1BZDsxdDP WPwr+Q==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 10 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20240407130000 20240325120000 30903 . xs17GOlZYy8wsxEdbJq3lXifbSX7GW/ZlpcBiGJgH2USpluqwJmKbwWY SCWr1iZYChHfVfSXl2n2Py9BBMnhL7XtVZ8K/FSkbOxKughnR4sOD+1i byflu46iilVzHWxGuR7DPe76K7Fp6ShLc42mJxMUfAJB1WGjIItWsByp 9WidDUthgLJWyy9q1elKE3biou8UCbBhdfN8tlZwWQ/1vySXGokK0fnd ghoT+JEfelooMAZm+PYJrvA9yS+yXtTfGos1/1u7xrYypWftGH4tRvtq rsQXrM27zMTP30iwlNpfumPTZekhtXVGi9QupqZ3ggOaThx3woCNnhsK 7gdPQg==
;; Received 1170 bytes from 199.7.91.13#53(d.root-servers.net) in 22 ms

google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240329042457 20240322031457 4534 com. kl0onLpKNQYiCdaXwCuzQH/SmK+FB/81W0dxZY0fW79L65evDIyi4QiE AoNhJ7IzNQylPNcTQnNYsErIIOv+cQ==
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN RRSIG NSEC3 13 2 86400 20240330042553 20240323031553 4534 com. sTp66eaDeHeSwOI2jH1MTD8lyePEUbrvEv5e2URPppsxEDvVkLPwUqjo Oms2zQcemBkvQnrl6PSWgTxKk6EX5A==
;; Received 644 bytes from 192.42.93.30#53(g.gtld-servers.net) in 26 ms

google.com. 300 IN A 142.250.184.238
;; Received 55 bytes from 216.239.38.10#53(ns4.google.com) in 20 ms

=================================================

dig +trace acme-v02.api.letsencrypt.org

; <<>> DiG 9.16.23-RH <<>> +trace acme-v02.api.letsencrypt.org
;; global options: +cmd
. 516309 IN NS a.root-servers.net.
. 516309 IN NS b.root-servers.net.
. 516309 IN NS c.root-servers.net.
. 516309 IN NS d.root-servers.net.
. 516309 IN NS e.root-servers.net.
. 516309 IN NS f.root-servers.net.
. 516309 IN NS g.root-servers.net.
. 516309 IN NS h.root-servers.net.
. 516309 IN NS i.root-servers.net.
. 516309 IN NS j.root-servers.net.
. 516309 IN NS k.root-servers.net.
. 516309 IN NS l.root-servers.net.
. 516309 IN NS m.root-servers.net.
. 516309 IN RRSIG NS 8 0 518400 20240407130000 20240325120000 30903 . tkBlFNWcDjW5HfdG2QdW3kNRlKRowXnsZEF/kkcA1G8koUr0WYXrlTJP azAOZujpEd4sSyuqoNFoGGQOsd2dFgTRlb3NrimamFC6SCfxMTouvN/O 1/vNBpu3nFI1xyttaIFmBtvMb2i0XmrWgmb1cBNjH566tPCMBqdx6VTy 04UfqDI0pWPlnl44ArgOe7nmXabvMfzRv8LO/9wg1KFVtdbQd48Wm1Aa 5caKfz4H7OM5XXAwKK7UGJidIEOfAwXh4WXrEjRc2hdte8R4phFBM8L7 9W1bK1xjRsIr4jjIj7fiqRfOBxqCGYwOyNfuMcCYgLRgO4L1BZDsxdDP WPwr+Q==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 5 ms

org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org. 86400 IN RRSIG DS 8 1 86400 20240407130000 20240325120000 30903 . HdJY1KX6uNXbbB0B1bEJcgyM+fd4VIKypVL7u4NSuy72I3bDLhcLOm25 vAvB0KSDnFQ3J2i3hphWRVkOXEl+5HALSFchM4Y2c2Pox3sRwrNwfgBE rY76XZ4U5jGkIeJFUvasTxv246g3cSeov0UtsQ0b625VotNnjFdr6YB8 Ve9vbF/g9Tjmrerqj6ePhZIJssG3lyJkQsohY2xbsmI04kJk+qkF3+lN +BFRD7AqwC1naINxf/xbzrjQSMjzUUGi4MCqQev1oGcW/BSTfMIilZFu PqQvcNjHCmHjKRe4Oad0wumIxp5mz3VtpehVeVKSgK+cOmM+abtH4Vkv ouTYkA==
;; Received 800 bytes from 202.12.27.33#53(m.root-servers.net) in 247 ms

letsencrypt.org. 3600 IN NS owen.ns.cloudflare.com.
letsencrypt.org. 3600 IN NS vera.ns.cloudflare.com.
gdtpongmpok61u9lvnipqor8lra9l4t0.org. 3600 IN NSEC3 1 1 0 332539EE7F95C32A GDTREA8KMJ2RNEQEN4M2OGJ26KFSUKJ7 NS SOA RRSIG DNSKEY NSEC3PARAM
p6tf1pkmp2952dasn90et9gnvrg5fvhi.org. 3600 IN NSEC3 1 1 0 332539EE7F95C32A P6THCCAEJ4K2P672K4CP0LG7FA25NN1N NS DS RRSIG
gdtpongmpok61u9lvnipqor8lra9l4t0.org. 3600 IN RRSIG NSEC3 8 2 3600 20240415184216 20240325174216 3093 org. EI/dFiIYYkv4ZhP96x0ANx/SxILk+88LQiXxzHG3aNANaIuH3cXyxTyF RsGV/QakfZV1/0dJjM62uRxmavk6ckAH6RSvqTvrt6V1WXDnS5/hoCbi 3c4cWxRWf03gTc9FH1fUpUKF06vPJyKWEOE9xCjmk3g9x0M/x9o1nTXL hz4=
p6tf1pkmp2952dasn90et9gnvrg5fvhi.org. 3600 IN RRSIG NSEC3 8 2 3600 20240415152912 20240325142912 3093 org. flAcDeq7xg+ClUBgI150ZBkkY28G4P1QjJBfkKjuF7LZRBhyaH99JVli J6MNFeENeTwLrdyp593BrEJTrl+odqsNtfP/wF7JzOL+5RIL7lwPs9ji LkzzCIsfUyjmksGuhkuzQK4uKBLOt0vsE77d26H3ELU5S8awdrUQCQKK B60=
;; Received 613 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 25 ms

acme-v02.api.letsencrypt.org. 7200 IN CNAME prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 300 IN CNAME ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
;; Received 139 bytes from 173.245.59.219#53(owen.ns.cloudflare.com) in 7 ms

That doesn't look too bad. What do the following commands output?

dig +trace ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com

nslookup ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com

And another question: are you perhaps running Certbot in Docker by any chance?


dig +trace ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com

; <<>> DiG 9.16.23-RH <<>> +trace ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
;; global options: +cmd
. 514541 IN NS a.root-servers.net.
. 514541 IN NS b.root-servers.net.
. 514541 IN NS c.root-servers.net.
. 514541 IN NS d.root-servers.net.
. 514541 IN NS e.root-servers.net.
. 514541 IN NS f.root-servers.net.
. 514541 IN NS g.root-servers.net.
. 514541 IN NS h.root-servers.net.
. 514541 IN NS i.root-servers.net.
. 514541 IN NS j.root-servers.net.
. 514541 IN NS k.root-servers.net.
. 514541 IN NS l.root-servers.net.
. 514541 IN NS m.root-servers.net.
. 514541 IN RRSIG NS 8 0 518400 20240407130000 20240325120000 30903 . tkBlFNWcDjW5HfdG2QdW3kNRlKRowXnsZEF/kkcA1G8koUr0WYXrlTJP azAOZujpEd4sSyuqoNFoGGQOsd2dFgTRlb3NrimamFC6SCfxMTouvN/O 1/vNBpu3nFI1xyttaIFmBtvMb2i0XmrWgmb1cBNjH566tPCMBqdx6VTy 04UfqDI0pWPlnl44ArgOe7nmXabvMfzRv8LO/9wg1KFVtdbQd48Wm1Aa 5caKfz4H7OM5XXAwKK7UGJidIEOfAwXh4WXrEjRc2hdte8R4phFBM8L7 9W1bK1xjRsIr4jjIj7fiqRfOBxqCGYwOyNfuMcCYgLRgO4L1BZDsxdDP WPwr+Q==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 18 ms

com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20240407170000 20240325160000 30903 . nW4n/dsOYsJKQ1T91wMuq3Bn5ysE0qmaUQmHNkp6kylxeYmiGyPg5AI3 9z4qcf3SEl5D8KajosCoBRNSbi0vklFquJDqKW9CXomQI7XqhD/qcImF zqEjSpZAipDITB1rJPXR0zyARXYS9QBJ13IGd84etOyS9LHSs2epdL3V gu0j8wC4iR3OJiLsR7clWQpG4VxpAtfSGjB9PALLhFvVd4wbnaAUiVvX Q7ADyL3cJIfXcTP2fCK4PJOSpi3LdPMqJlXPM8aQ2JG+daDvO8v6f5Lc KVRnF94fO/VEnDAqu9y9FTOIex2luiIrAKZc89/qU+xEUhE737dpoS/f PttGXg==
;; Received 1209 bytes from 192.5.5.241#53(f.root-servers.net) in 5 ms

pacloudflare.com. 172800 IN NS brenda.ns.cloudflare.com.
pacloudflare.com. 172800 IN NS guy.ns.cloudflare.com.
pacloudflare.com. 86400 IN DS 2371 13 2 90E28B5A52CA201E0A028C5ADFA806D7767CF1B36FB7544D87740255 3E305ABB
pacloudflare.com. 86400 IN RRSIG DS 13 2 86400 20240401064412 20240325053412 4534 com. GG4B9amU8rzkOCgVoMcbPuZ8L42LuZdSP+0IcKqgE6Dqk8D3VWHVSywP TtCgMpraQgzR64WctU6nYHwpQ8sfVw==
;; Received 542 bytes from 192.42.93.30#53(g.gtld-servers.net) in 19 ms

ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 300 IN A 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 300 IN RRSIG A 13 3 300 20240326205947 20240324185947 34505 pacloudflare.com. CefObdhaz+C/djnpdXp/RErod2GzdWLNCoYSmD7bwzPxXtId+CngiP1J qnr85fI9VO7EhOY1GLLgiJB6qibZzQ==
;; Received 206 bytes from 108.162.192.77#53(brenda.ns.cloudflare.com) in 5 ms

====================================================================

nslookup ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

==============================================

Command information follows.

I'm not using docker.


@etpi2024 I was just supplying additional supplemental information.


thanks, haha


I believe it is something I had done when creating the virtualhost, as I need to create a new one with the URL jfrog4.etpi.com.br on port "3355", so that whenever someone types it on port 80 it goes to HTTPS on port 3355...

==================================================================

This site tells you how to create a certificate for Rocky Linux 9 as a virtualhost; do you know what?

example:

# Plain-HTTP vhost: everything is redirected to the HTTPS site
<VirtualHost *:80>
        ServerName www.yourdomain.com
        ServerAdmin username@rockylinux.org
        Redirect / https://www.yourdomain.com/
</VirtualHost>
# TLS vhost (the tag must be written as one word: VirtualHost)
<VirtualHost *:443>
        ServerName www.yourdomain.com
        ServerAdmin username@rockylinux.org
        DocumentRoot /var/www/sub-domains/com.yourdomain.www/html
        DirectoryIndex index.php index.htm index.html
        Alias /icons/ /var/www/icons/
        # ScriptAlias /cgi-bin/ /var/www/sub-domains/com.yourdomain.www/cgi-bin/

        CustomLog "/var/log/httpd/com.yourdomain.www-access_log" combined
        ErrorLog  "/var/log/httpd/com.yourdomain.www-error_log"

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLHonorCipherOrder on
        # the cipher list is a single directive on one line
        SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

        # certificate files as written by certbot under /etc/letsencrypt/live/<name>/
        SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem

        <Directory /var/www/sub-domains/com.yourdomain.www/html>
                Options -ExecCGI -Indexes
                AllowOverride None

                Order deny,allow
                Deny from all
                Allow from all

                Satisfy all
        </Directory>
</VirtualHost>
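The vhost pair the question above asks for (port 80 only to validate and redirect, the real site on 3355), as an added example that is not from the thread or from the Rocky Linux guide quoted above. It assumes the sites-available/sites-enabled layout seen in the DUMP_VHOSTS output, a JFrog backend on 127.0.0.1:8082, and mod_ssl, mod_proxy and mod_rewrite loaded (Rocky's default); the /etc/letsencrypt/live paths are the ones certbot creates for the name.

```shell
#!/bin/sh
# Added example, not from the thread or the Rocky guide quoted above: the two
# httpd vhosts for a name whose port-80 vhost exists only to serve certbot's
# HTTP-01 challenge and redirect all else to the TLS site on a non-standard
# port, as asked for jfrog4.etpi.com.br on 3355. Assumed: the sites-available/
# sites-enabled layout seen in DUMP_VHOSTS, a JFrog backend on 127.0.0.1:8082,
# mod_ssl/mod_proxy/mod_rewrite loaded (Rocky default). live/ paths are certbot's.

# gen_http_vhost NAME TLS_PORT -> port-80 vhost on stdout
gen_http_vhost() {
    name=$1 tls_port=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    # HTTP-01 validation always arrives on port 80: keep the challenge path
    # on plain HTTP and send every other request to the TLS port.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://$name:$tls_port%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# gen_tls_vhost NAME TLS_PORT BACKEND_PORT -> TLS vhost on stdout; only
# enable it after the certificate exists, or httpd refuses to start.
gen_tls_vhost() {
    name=$1 tls_port=$2 backend_port=$3
    cat <<EOF
Listen $tls_port https
<VirtualHost *:$tls_port>
    ServerName $name
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/letsencrypt/live/$name/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$name/privkey.pem
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:$backend_port/
    ProxyPassReverse / http://127.0.0.1:$backend_port/
    ErrorLog /var/log/httpd/$name-error_log
    CustomLog /var/log/httpd/$name-access_log combined
</VirtualHost>
EOF
}

# Order of operations on the host (as root); the TLS vhost is appended only
# once certbot has written the certificate:
#   f=/etc/httpd/sites-available/jfrog4.etpi.com.br.conf
#   gen_http_vhost jfrog4.etpi.com.br 3355 > "$f"; ln -s "$f" /etc/httpd/sites-enabled/
#   apachectl configtest && systemctl reload httpd
#   certbot certonly --apache -d jfrog4.etpi.com.br     # validates via the port-80 vhost
#   semanage port -a -t http_port_t -p tcp 3355           # SELinux: let httpd bind 3355
#   firewall-cmd --permanent --add-port=3355/tcp && firewall-cmd --reload
#   gen_tls_vhost jfrog4.etpi.com.br 3355 8082 >> "$f"; apachectl configtest && systemctl reload httpd
gen_http_vhost jfrog4.etpi.com.br 3355
```

Keep the Listen line in one place only: if a file under conf.d already listens on that port, drop it from the generated vhost.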

This file is being loaded twice:
[and it's using an alias for the same base name]

port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
            alias localhost
port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
            alias localhost

This file is being loaded twice:

port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)

This file only covers the "www" name:

port 80 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:1)

This name is being loaded three times - across two different files:
[One of the files is being loaded twice]

port 443 namevhost tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)

This file only covers the "www" name:

port 443 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:6)
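A check for the duplicate loading pointed out in the reply above, as an added example that is not part of the thread: it parses `apachectl -t -D DUMP_VHOSTS` output (the sample below is copied from the output posted earlier) and reports every vhost definition loaded more than once, plus the names served on a port so a new ServerName can be confirmed present.

```shell
#!/bin/sh
# Added example, not from the thread: parse `apachectl -t -D DUMP_VHOSTS`
# output and flag VirtualHost definitions httpd loaded more than once. A
# repeated file:line means the same file is Include'd twice (for instance
# once from conf.d and once from sites-enabled), the problem the last
# reply points out; a missing name means no vhost serves it at all.

# Constructed sample: the DUMP_VHOSTS output posted earlier in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/httpd/sites-enabled/localhost.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:1)
*:443                  is a NameVirtualHost
         default server tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost www.tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:6)'

# Reads DUMP_VHOSTS text on stdin; prints "COUNT PORT:NAME FILE:LINE" for
# every "port N namevhost NAME (FILE:LINE)" entry seen more than once.
find_duplicate_vhosts() {
    awk '$1 == "port" && $3 == "namevhost" {
             src = $5; gsub(/[()]/, "", src)
             count[$2 ":" $4 " " src]++
         }
         END { for (k in count) if (count[k] > 1) print count[k], k }' | sort
}

# Reads DUMP_VHOSTS text on stdin; prints the distinct names served on port
# $1, in order of appearance, so a new ServerName can be confirmed present.
names_on_port() {
    awk -v p="$1" '$1 == "port" && $2 == p && $3 == "namevhost" && !seen[$4]++ {
                       out = out (out ? " " : "") $4
                   }
                   END { print out }'
}

# Stand-alone run against the sample; on a live host feed the real output:
#   sudo apachectl -t -D DUMP_VHOSTS | find_duplicate_vhosts
#   sudo apachectl -t -D DUMP_VHOSTS | names_on_port 443
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_vhosts
printf '%s\n' "$SAMPLE_DUMP" | names_on_port 443
```

An empty first listing and a names line containing the new host are what a clean configuration looks like.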
